Guda Blues6d ago

SSL certificates for things inside the lab

https://lemmy.zip/post/60882311

SSL certificates for things inside the lab - Lemmy.zip

Hello everyone. Need some opinions here. Does it worth all the trouble to make things like jellyfin and immich run with HTTPS for services that are only accesible in the LAN? I ask it 'cause, as far as I know, there is no way to put a valid certificate like let’s encrypt for a service that is not accessible from the net and I don’t plan to buy a certificate for myself. But I have some trouble with the rest of my family having issue with their browsers complaining about the lack of https every time a browser is updated. So, what would be the best solution?

Show threadplateee

I do DNS challenges with let’s encrypt for either host fqnds (for my kubes cluster) or wildcard for the few other services.

The trick is to do a subdomain off of a domain that you own (e.g. thing.lan.mydomain.com) this way, you can scope the DNS to only *.lan.mydomain.com if you’re conscious about scoped api security.

Using let’s encrypt is nice because you can have a valid ssl chain that android, iOS, windows, and Linux all trust with their default trusts without having to do something with a custom CA (ask me how awful that process can be).

Mar 17 at 12:55amWeb
Show threadxSikes5d ago
That sounds cool and kind of makes sense. I’m going to go learn more about this.
Show thread4am5d ago

Wildcard is actually good these days because you don’t have to set up DNS entries for your hostnames.

It’s not security, just obscurity - but in the age of crawlers, it’s helpful.

Also, you can use it internally for services on LAN and because LetsEncrypt is a CA everyone trusts, you don’t need to register a local CA (like a FreeIPA instance) with all your devices- which sometimes isn’t possible.

Show threadplateee5d ago

it’s not security, just obscurity

IIRC for my setup it’s a bit of both. My DNS API key is scoped to only handle the specific subdomain updates instead of my entire DNS account.

I still use a wildcard for that subdomain for non-kubernetes systems, but the cert plugins for kubes is excellent at handling a LE cert per lan fqdn.

You don’t need to register a local CA

This was my biggest reason to move to Let’s Encrypt. I have a Hashicorp Vault instance in my homelab for secrets and I tried using it for an internal CA (like how the lab at work is set up), but trying to get on every device and add the full Vault chain to each individual system’s trust store was massive pain in the ass.